Troubleshooting FAQ

The Troubleshooter PDF has the most commonly asked questions and resolutions. Read it first.

Here are some less frequently encountered questions not in the PDF. They change periodically as we get new ones.

Q. I have a PC that runs the audit but nothing saves and I don't see anything in the error logs where the audit modules run from. Is there some way to find out what's going on?

This is indicative of a permissions problem. First check if the user has read, write, create, delete, execute permissions for the folder where ezstart.exe, ezscan.exe etc. are located.

Check the affected PC's Application Event Log. You can remote into that machine and have a look at the Event Viewer. The error and description will be there if the scanner module indeed launched and encountered a problem.

A further step to take is to check that the affected PC is in fact launching the audit: Check that Group Policy is running and if so if there are errors, e.g. using GPRESULT.

Q. I have some PCs where the ezscan.exe module runs but never terminates or takes a very long time to terminate.

If the audit module can't communicate to the server, or the server becomes unavailable, then it's "orphaned" at the user's PC. The module is launched from and resides on the server, but runs at the PC. So, it can't 'terminate' the process.

Another possibility is, it actually is waiting to do it's thing. If you set a very long delay in the configuration file before it's supposed to start the audit, then it's just waiting for that period to elapse. If you put into the config to wait, say, 600 seconds - that's 10 minutes that it'll sit there waiting before moving on to perform the audit.

Q. Some PCs are getting a security warning from Windows when running an audit. Why?

Do not use an IP address as the path to the share from your server. Windows treats an IP based path as an untrusted zone so you'll see that. So instead of using the server IP for your share like \\192.168.0.1\ezaudit\, use \\servername\ezaudit

If you see this (image below), you have some misconfigured trusts between servers and/or clients. The warning sounds scary, but it's not actually true - they're digitally signed but whatever logic Windows uses doesn't get that information. It seems to be a catch-all fallback error. The files are safe, its a relationship trust problem with the affected machine and where the audit modules are being run from.

The full solution involves fixing these domain related issues, which is not possible for us to advise on - that's a Microsoft support issue.

But there is a quick fix that we can share - and it's not a solution since the trust issues exist and should get fixed. This just gets you past the problem until you hunt down the issue on your domain.

Do this on the affected machine: Open Control Panel > Internet Options, then do the steps as shown:

"Best practices" is to not have the Admin Console installed to a server, as with any program that doesn't need to be on a server.

If the requirement at your end is to have multiple users access the Admin Console, our licensing permits installs to multiple PCs, for example for tech support staff or others that may need access to it.

It is not, however, designed to be accessed by multiple users from a server location, e.g. launching at a user's PC via a shared folder. Doing so can corrupt data, cause hangs, etc. Don't do this.

The Console was designed for single user use. Multiple users running that Admin Console at their own PC from a local install can all access the data at the same time.

To be clear, you can have multiple users access the data from their own PC with the Admin Console installed at each of their PCs, just not multiples launching one install from a share.

Any program can hang or crash, often through no fault of the program itself. If something hangs on a PC, rebooting only annoys and affects one user. Rebooting a server can be a big deal.

Also, Internet Explorer on a server is usually locked down which can break a lot of stuff that doesn't seem to have any obvious bearing to IE. Some necessary functionality in the ezaudit Admin Console could (read: probably) be affected.

For example you may see:

Seriously, don't install to a server.

Q. When I go to run On-Demand, machines that I know launched don't show up. What's happening?

If the machines have gone to sleep for a while they are assumed unavailable. Upon their being logged back in they become available again to be audited. At some point they do become considered "dead".

If the machine has been shut down, then naturally it will stop showing available until it's started and the user logs in. (Exception to the login would be servers where you can create a task to launch ezaudit at startup and have it run as the SYSTEM "user". Read this PDF document for all about On-Demand auditing.)

Also, you can check the "errorlog.txt" file in the same folder as ondemand.exe is located in and look for the affected PC. Any problems are logged there.

Of course, the logging can only happen if a) users have read, write, create, modify permissions to the server share where ezscan.exe, ondemand.exe etc. are located and that indeed the module actually launched. See our Troubleshooter PDF for permissions issues, Group Policy issues and more.

Additionally, errors are also logged to the affected PC/Server in the Event Viewer for Windows > Application.

Q. Why are some of my audits being reported as 'bad' and renamed with a .badEZ{version} extension?

These are the typical reasons:

The file has been renamed. Do not rename audit files.

The file has been tampered with. Speaks for itself.

The file got damaged somehow. Ever had a critical Excel file that refuses to load or a broken .PST? Like that.

The file is in a location that can't be read (e.g. open/read permissions etc.)